eBay's handling of cyber attack 'slipshod'

A British security expert has branded eBay’s reaction to a huge cyber attack
“slipshod” as emails warning customers that their personal details were
stolen have still not been sent out, almost 24 hours after news of the
security breach was inadvertently leaked.



The online auction site accidentally revealed news of the attack yesterday morning when the PayPal blog briefly posted a message with the headline "eBay, Inc. to Ask All eBay users to Change Passwords" but with no content other than the words "placeholder text".

Hours later eBay publicly admitted that hackers had stolen the names, email and postal addresses, phone numbers and dates of birth of all users. Passwords were also stolen, although these were encrypted.

It announced that it would be sending emails to all customers warning them to change their passwords, and to take the same step at other websites if they use the same password there. But these have yet to be sent out, and a warning message on the front page of the website was only added this morning.

“I think they should have that right from the off,” said computer security expert Graham Cluley. “Obviously they’ve got a lot of people to tell. But I think their whole handling of this has been quite sloppy.

“I haven't seen anybody yet who’s reporting that they’ve had an email, and that seems to me to be a bit slipshod.

“Initially news of the breach leaked out through some placeholder text, then that got removed. Back at that point I was warning people ‘I’ve changed my email password and I think you should too’.

“I don’t think they’ve handled it very well. Also, the breach happened a couple of months ago, so either they’ve been tardy or they didn’t notice.”

He said that the company had failed to provide enough information to accurately assess the severity of the attack, such as how strongly it encrypts users’ passwords.

“We still don’t know whether that’s a password that could be easily decrypted by hackers, there is still potential that that’s the case. Even if they only have personal details, that’s enough to put together a very convincing email to get people to click on a link. Those are jigsaw pieces to your identity, which are stepping stones to identity theft. People trusted eBay with that data,” he said.

“Encryption can be decrypted. But there are forms of one-way encryption that makes them harder to attack…we don’t have really good information on how exactly they were stored.”

It is thought that hackers were able to steal the usernames and passwords belonging to some members of staff, and then use those to access customer data. But Cluley said that additional security measures should have been in place internally to stop staff having such easy access to the data, such as two-factor authentication.

“That makes life much harder for the criminals,” he said. “There should have been some hoops to jump through, and that would have stopped the hackers, clearly they didn’t have that in place.”

The company has said that it is "aggressively investigating the matter" along with law enforcement agencies and will be using the "best forensic tools".

An eBay spokesperson told the Telegraph this morning: "We know that customers are concerned, and want us to fix this issue straight away, and we are working hard to do just that.

"Our first priority is and always has been to protect our users' information and ensure we correctly deal with the technical challenges such a situation brings, and that is why as a first step we have requested all users change their passwords. Other steps, including email notification, will follow and we will ensure all eBay users have changed their passwords over the coming days."